Posted by CmdrTaco on Tuesday November 30, 2010 @01:00PM
from the of-course-they-are dept.

Stoobalou submitted a story about some of the most obvious research I've seen in a while ... "A researcher from a Dutch university is warning that Facebook's 'Like This' button is watching your every move. Arnold Roosendaal, who is a doctoral candidate at the Tilburg University for Law, Technology and Society, warns that Facebook is tracking and tracing everyone, whether they use the social networking site or not. Roosendaal says that Facebook's tentacles reach way beyond the confines of its own web sites and subscriber base because more and more third party sites are using the 'Like This' button and Facebook Connect."

Some people seem to have the delusion that companies actually care about who you are and why you're clicking this and that, but they only care about your statistics. They want to know that single white 27 year old female likes Lady GaGa, not that Janet Doe likes Lady GaGa...

To me there are two problems: First and foremost, it is increasingly hard to find out who is included in that latter "them". So many external resources are linked in websites, from JS libraries to advertising to tracking cookies from collecting societies to Flattr to Facebook to Amazon to what the hell else there is, that even with Adblock Plus and NoScript I am sometimes overwhelmed with what to block and what to allow. And it is only getting worse.

It's trivial to block this -- just add a batch file nofb.bat that replaces your host file with the one that has facebook redirected to 127.0.0.1. If you use fb and wish to actually go there, you can have another bat file, gofb.bat which changes host file back to the one with facebook entry commented out (the bat file may call a little executable that flushes local DNS cache on your machine by resolving the affected domain name). In general case, if you wish to do this selectively for n tracking sites, with n>1, you will need one bat file that blocks all of them and one for each site that has just one site unblocked, hence you need n+1 bat files. Also, going to any of the tracking sites to use their services will also cost you an extra click for in and out.

Note that google, digg and many others are doing the same kind of tracking, whether you subscribe to their site or not. You get ID on their servers attached to your cookies, tracking your visits anywhere where their bug is placed. That way they can sell to some site A which you are visiting now the fact that you have also visited sites B, C, D,... earlier (when and how many times each, what kind of content you used there, etc). Of course, if the tracking servers know who you are, they can also sell that info to sites A, B, C..., at a higher price.
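The hosts-file approach in the comment above, as an added example that is not part of the original thread: a single generator that takes the tracker list and an optional allow list, so the n+1 separate files are not needed. The marker strings, function names and `*.example` domains are assumptions made for the illustration.

```python
# Added illustration: build hosts-file text that sinks tracker domains to
# 127.0.0.1, with selected domains left commented out (temporarily allowed).
# Marker strings, names and *.example domains are assumptions.
BEGIN = "# BEGIN tracker-block (managed)"
END = "# END tracker-block (managed)"
SINK = "127.0.0.1"

# Constructed sample inputs.
SAMPLE_HOSTS = "127.0.0.1 localhost\n::1 localhost\n"
TRACKERS = ["facebook.com", "tracker-a.example", "tracker-b.example"]


def strip_managed(text):
    """Return the lines of text that lie outside the managed section."""
    out, inside = [], False
    for line in text.splitlines():
        if line.strip() == BEGIN:
            inside = True
        elif line.strip() == END:
            inside = False
        elif not inside:
            out.append(line)
    return out


def render_hosts(current, trackers, allow=()):
    """Rebuild the managed section; domains in allow are written commented out."""
    allow = {d.lower() for d in allow}
    lines = strip_managed(current)
    while lines and not lines[-1].strip():
        lines.pop()
    lines += ["", BEGIN]
    for domain in sorted({d.lower() for d in trackers}):
        # hosts entries match exact names only, so the www. name needs its own line
        for name in (domain, "www." + domain):
            entry = f"{SINK} {name}"
            lines.append("# " + entry if domain in allow else entry)
    lines.append(END)
    return "\n".join(lines) + "\n"


def blocked_names(hosts_text):
    """Names that the given hosts text currently maps to the sink address."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == SINK:
            names.update(n for n in fields[1:] if n != "localhost")
    return names


if __name__ == "__main__":
    print(render_hosts(SAMPLE_HOSTS, TRACKERS, allow=["facebook.com"]))
```

The functions only produce text; writing it to the system hosts file needs administrator rights, and the local DNS cache still has to be flushed afterwards, as the comment notes.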

Well, many home routers use 127.0.0.1 as the Info/Config page. I think mine uses 127.0.0.2, but still...

I hate to be negative, I really do. However, this post merely illustrates that you have absolutely no idea of what you are talking about.

Unless your router has a monitor and keyboard attached to it, it is impossible for any machine to talk to any other machine using any address that starts with 127. These are "localhost" addresses that always, always equate to the same machine the request originates from. In other words, your workstation.

Because the out-of-the-box default behavior for every popular browser is to download everything referenced, pass whatever cookie it happens to have whenever it does that, execute every such downloaded script, and so on.

Yep. I've been aware of this long before Facebook even added that feature. After all, this is the reason that most email programs/sites don't display images by default because spammers use it to verify/track email addresses.

The stupid thing is that the websites just give Facebook the free space without getting anything in return. FaceBook has a free ad on every single page that sites display the Like button on, and all the site gets is the chance that the user will add it to their list of liked things, and maybe--if the stars align--their addition will be reflected in someone else's feed and make it go viral.

This is mutual advertising. I understand why sites add the like and share this buttons.

I know people see the stuff I mark liked because I have lost "friends" over it :)

Yeah, that's what I use it for: advertising. Not to make money from it, either, but rather just to get the word out.

If someone is not a Facebook member I wonder exactly what they're so worried about, though. As mentioned, Google and DoubleClick and other analytic services do the same thing with your anonymized data, and in return you get statistics about the people visiting your site. That's what companies who base their revenues on advertising do. They all want to track you and aggregate your data so they

Meh, facebook is just connective tissue; grey matter. I don't really use it all that differently from twitter... actually most of my FB posts come from twitter.

The real content gets posted to Slashdot, LiveJournal, Blogspot, Flickr, Picasa, Youtube, etc., sometimes even Buzz. Twitter / FB are just open / closed syndication engines for that content, sort of like a consolidated form of RSS with some extra integration features.

Relevant to the actual subject, StumbleUpon has always provided a much better "Like" button... since it includes a "don't like" button and actually does something useful with the information you provide by giving you more random links that you would probably like based on what you have in common with the other people who liked that link.

Strangely, I have no desire to share this StumbleUpon "like" information with the rest of my IRL friends on FB / twitter, partly because our pr0n tastes can be quite different, but in general I just don't care to share links as a feed. If there's an article someone should read, I send them a directed email. If I find something funny, I might go so far as to post it to our IRC channel.

Come to think of it, I think FB / Twitter might just be some sort of gap filler for people who don't lurk on IRC.

I'm tired of Facebook because it needs no alternatives. Narcissists may need an outlet but they always have, but I don't need to be part of their constant need for attention. The one thing I thank Facebook for, is teaching me that my 'friends' have boring lives, and they have as little real interest in my life as I do in theirs. I find myself encouraged to go DO things that are worth posting, and having DONE something really worthwhile the reward has nothing to do with posting it on Facebook.

If you even have a facebook session going - and the controls for a "Like this" button are on the page, I wouldn't be surprised if that information gets stored.

"Hey you're logged in! Hey this control knows you're logged in, so it'll work instead of redirecting you to login. Hey, why don't we just send information back to facebook that you visited this page, even if you didn't hit the like button!"

Would this shock anyone? I haven't proven it but it's not far off nor technically impossible. In fact it's pretty

This effectively lets Facebook track the surfing habits of non-users as well.

Take this moment to make sure you have your browser's cookie acceptance set to "Only from sites I visit."

... Doesn't pretty much every site do that? Any of Google's Doubleclick ads are notorious for going through your cookies and finding the best product to put in front of your eyes. So wouldn't any site that serves up Doubleclick ads essentially have access to that information?

I now feel I have the courage to speak out about what happened one month ago.

I was walking home from a late night shift and noticed a glassy aero blue vehicle drive by me slowly. I couldn't see inside through the blue glass reflection but the vehicle moved at an ominous pace. I quickened my pace and made haste for my house now only five blocks away. I broke into a run at four blocks, I was so close to home and safety. But I heard the squeal of tires on pavement behind me and my pulse spiked. I covered the next two blocks as fast as the wind but the blue vehicle was faster. It pulled up onto my lawn in front of me and the doors opened as I ran by it. I didn't look, I couldn't look at them but I heard pixelated fingers running through the grass as I scrambled to find the key to open my front door.

I opened the door and turned around to slam it shut but there was a blocky thumb that caused it to bounce back. My wife came in to see what the commotion was about and screamed as the first hand with its blue cuff and erect thumb grabbed my ankle and tripped me. "Get the children to the panic room" I screamed. And in ten seconds my family was safe but I still grappled with the blue shaded hand holding me down mercilessly as three more hands with blue cuffs came in through the open door. Another held down my other ankle as the third raised his cuff to expose his fully erect thumb. The fourth pulled my pants down and I screamed in agony as I was viciously sodomized in my own living room while my family watched from the panic room camera. For hours it went on while the fourth Facebook 'Like' hand sat there smoking a cigar, laughing and rubbing his thumb and forefinger together when I asked why they were doing this to me. Why? Again, they rubbed their thumbs together with their fingers signifying money.

The police said I was powerless, I had given up my right when I had clicked through the Terms of Service to join Facebook. Zuckface could do whatever he wanted to do to me and I was powerless. The policemen told me to go back to my Farmville and watch my crops and just be happy the 'like' hands had left me alive, at least the Zuck had shown some mercy. Then they excused themselves and cautiously walked out to their squad car, hands ready on their sidearms, alert for any remaining 'like' hands.

There, there, fellow victim, I have a method to help you with this problem. Lay on your bed, look at your hand, now back to me, now back at your hand, now back to me. Sadly, your hand cannot stop the 'Like This' button, but if you stopped using Facebook and switched to Diaspora, you could avoid the blue terror like me. Look down, back up, where are you? You’re on a cloud with only about five hundred other users. What’s in your hand, back at me. I have it, it’s your mouse connected to your computer where you just need to enter your password one final time to leave Facebook. Look again, the mouse is now diamonds. Anything is possible when you're not promoting Facebook. I’m on a butterfly.

Even easier, I just keep Facebook sandboxed in a totally separate browser that never visits any other website. This browser is also equipped with adblocking, script blocking and so on.

They can't track you if you don't go anywhere. I also never click on links in facebook posts or on the facebook page - I copy and paste them into a text file and strip off any added facebook nonsense to get to the actual URL.

Except the article is about facebook tracking everyone on sites other than facebook, such as when you go to some store's website and they have a 'Like It' button for all their products... facebook is tracking you and that you've viewed that item, regardless of whether you have a facebook account or not.

That isn't going to help you. If you had read TFA you would know that this is about the Facebook Connect 'Like' buttons that have been showing up on many of the popular websites and how it tracks your behaviour even if you aren't signed up with Facebook. Essentially Facebook has become another cross-site marketing tracker which given their abysmal outlook on privacy shouldn't be a surprise but is still worth noting because of their prevalence.

+1. Best place to keep FB is on its own Web browser separated from everything else using SandboxIE or a VM. Then on the other Web browsers used for general browsing, have their cookies auto-blocked. If you want to "like" something on FB, cut and paste the link into the FB browser.

How about writing a browser extension that, in the background, visits all known sites that have the 'like' button (intelligently upgraded)? That way, they won't know which sites you visited legitimately, thus the data they collect on you is worthless?

I honestly doubt that this is how it works. When I'm not logged in, that data does not appear. Also for the sake of clarity I must bring to light the fact that I have several FB accounts. This might screw their profiling (the profiles have wildly divergent interests and behaviors).

Again, this is only my personal account, so take it with a grain of salt.

I'm not going to argue with you on this topic. It is a personal choice, which I made based on my personal experience. You are free to have your own opinion, just don't judge others who choose to think otherwise.

You are free to have your own opinion, just don't judge others who choose to think otherwise.

That is a load of dingo's kidneys. The brain is one big meat-based discrimination machine. It lets you make yes/no decisions in an analog world. You felt free to share your opinion, and have clearly already made your own related judgments, but you don't want to hear anyone else's. You do not have the right to not be offended.

As for the Adblock/Noscript solution, I refuse to use it. I wore the hat of a webmaster and I know how important advertising is.

Well, I wasn't going to click on the ads anyway, so I'm sure as hell not going to use my bandwidth to view them. Just because you signed a contract with someone who sells ads, doesn't mean you signed one with me -- I don't owe any advertiser my time, my eyeballs, or my bandwidth.

If your site folds because I didn't allow ads, well, your site would have folded anyway, and someone els

I don't use adblock because I use some basic settings (no flash, block unrequested popups, block images from certain servers) that filter the real crap well enough most of the time. But that's not the point:

I don't mind well-targeted ads *that don't slow things down*, but we hardly ever see those anymore. I was astonished the other day when I was at some tech site and was served simple, fast-loading ads directly relevant to the site topic itself -- and I'm like, hey, get a load of these ads that I *don't* w

I put 127.0.0.1 in my hosts file for facebook after my gf dumped me and I noticed almost every website calls the facebook like.ph url when you click on a link. Very annoying when trying to navigate with the back button

Facebook is going to track your activity. If you post your personal photos and information on a social networking site, it will more than likely be used for reasons other than you intended.
There, now let's all move on.

First, we don't really know they make any use of this data. They have the possibility, but they don't have to use it (it's quite likely they do, but that's a different matter)
Second, to avoid sending this data they would have to either limit some functionality or go out of their way and create some special domains to avoid passing the cookies between the systems. And this would be for no gain for them whatsoever - "not stealing" personal information is never a news topic. Also the only people who actually can

That has been the subject of many blog posts and news items and it is why sites which care about your privacy do not use this button (they use "find us on facebook" buttons with simple HTML links instead of iframes hosted by facebook).
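The difference this comment points to, as an added example that is not part of the original thread: embedded `iframe`, `script` and `img` resources are requested by the browser as soon as the page loads, while a plain link contacts the other site only when clicked. The page markup, the `*.example` hosts and all function names below are constructed for the illustration.

```python
# Added illustration: list the third-party hosts a page makes the browser
# contact on load (embedded resources) versus only on click (plain links).
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose src is fetched automatically while the page renders.
AUTO_FETCH_TAGS = {"iframe", "script", "img", "embed"}

# Constructed sample page (not taken from any real site).
SAMPLE_PAGE_URL = "http://shop.example/item/42"
SAMPLE_HTML = """
<html><head><script src="/static/app.js"></script></head><body>
<img src="http://shop.example/img/item42.jpg">
<iframe src="//www.facebook.com/plugins/like.php?href=http%3A%2F%2Fshop.example%2Fitem%2F42"></iframe>
<img src="http://ads.tracker.example/pixel.gif" width="1" height="1">
<a href="/cart">Cart</a>
<a href="http://www.facebook.com/shopexample">Find us on Facebook</a>
</body></html>
"""


def site_of(host):
    """Crude site key: the last two labels of the hostname.
    Assumption for brevity; a real tool would consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class EmbedAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_site = site_of(urlsplit(page_url).hostname or "")
        self.auto_fetch = []  # requested on load, with that host's cookies
        self.on_click = []    # requested only if the visitor follows the link

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in AUTO_FETCH_TAGS:
            self._record(tag, attrs.get("src"), self.auto_fetch)
        elif tag == "a":
            self._record(tag, attrs.get("href"), self.on_click)

    def _record(self, tag, url, bucket):
        if not url:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        host = urlsplit(urljoin(self.page_url, url)).hostname
        if host and site_of(host) != self.page_site:
            bucket.append((tag, host))


def audit(page_url, html):
    parser = EmbedAudit(page_url)
    parser.feed(html)
    return {"auto_fetch": parser.auto_fetch, "on_click": parser.on_click}


if __name__ == "__main__":
    print(audit(SAMPLE_PAGE_URL, SAMPLE_HTML))
```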

Facebook knows a lot about me: that I have no friends, no interests, and log in between the hours of 1 and 5AM from my mother's basement. I keep getting advertisements from Slashdot and World of Warcraft.

Noscript and "no cookies" are a start, but there's been plenty of evidence that the marketers are starting to dig even deeper than that. For example, linking all of the pages you visit (on their ad network) via IP address and Flash cookies.

And so many sites are using Javascript for the simplest things (like displaying images) and benefit from logons (Slashdot included) that it's really hard to just surf anonymously like we did 15 years ago.

You have a website that has pictures of you, your current whereabouts, mood, who you like, where you live, work, sleep, and every interaction with anyone else has just as much information pulled out and sorted. And you're bothered by the Like this button?!

You seem to be a Facebook user; I am not. If Facebook is tracking me anyway, then yes, I am bothered.

If you are in the habit of accepting and keeping every cookie ever offered to you, you were being "tracked" before Facebook got involved.

For my part I *really* don't care if the website I'm visiting is tracking my movements on its own site.

I -only- get irate when that tracking starts to follow me around after I leave.

I don't use facebook, and that near ubiquitous facebook icon on pages used to merely annoy me for being a waste of space and an eyesore. But I wasn't specifically aware that it was actively tracking me if I ignored it. Perhaps if I had thought about it, I'd have realized that it was likely wired back to facebook and tracking me, but until now I hadn't.

So I do find this interesting. Not that I needed another reason to despise facebook.

And yes, other widespread tracking systems also do bother me; I've regularly criticized google's reach between its advertising and analytics numerous times here on slashdot.

I only recently discovered facebook's instant personalization "feature". I went to rottentomatoes and it showed movies that my facebook friends liked. This seems very inappropriate to me because how did rottentomatoes know who I am in facebook, without logging in or doing any kind of verification. Apparently rottentomatoes uses third-party cookies to fetch your facebook info and display it. This seems to mean that potentially any website can check who you are in facebook (if you are currently logged in). I was able to turn off this feature by disabling third-party cookies [mozilla.com] in Firefox.

More than anything this seems like a big privacy leak and is the fault of the browsers. This should be off by default [mozilla.org] in firefox and other browsers. If I go to rottentomatoes.com, I would expect that Firefox would only send cookies back to rottentomatoes and should not even allow read access to other cookies while I'm on that page. The same goes for flash plugins and other scripts, etc. that read cookies, they should only have read access to the cookies for the current page.

You seem to be a Facebook user; I am not. If Facebook is tracking me anyway, then yes, I am bothered.

Every advertisement you see is tracking you. Every HTTP request tells people things about you by default. Facebook "like" buttons are just more advertisements. If you don't want to be tracked by facebook, install some sort of ad blocker and block facebook and their CDN. It's unfortunate that we have to do this sort of thing, but it's the nature of the internet and always has been. At least it's not a secret tracking pixel, which is way more worth getting annoyed about than any like button.

Exactly -- I've never visited Facebook (on my computer -- I've seen it on others'), but this article made me curious so I checked out my cookies. Surprise surprise, I have cookies from Facebook, a website I've never directed my browser to.

I accept all cookies b/c browsing the internet without doing so is just a hassle. But it should be reasonable to expect a company to keep their data off my computer when I've never visited their site. Fuck Facebook. And Fuck CNN for putting a Facebook cookie on my computer

They're tracking him because his user-agent downloads stuff from facebook every time it sees an iframe or script or img tag that points to flickr. Thus, it can do anything a doubleclick "tracking pixel" or "web bug" can do. And while that may be limited, it certainly isn't particularly limited by the fact that he doesn't have a facebook account.

People didn't (as far as they knew;-) have doubleclick "accounts" either, but there was still widespread loathing, until eventually everyone (and by "everyone" I

Yes. Perspective. What you choose to share with Facebook may be very different than what Facebook gets to know about you due to the proliferation of their "Like this" widget. And as others point out, not everyone chooses to share anything with Facebook.

While it isn't surprising, it is important to keep noting the ongoing invasion of privacy that occurs online. Analytics is pretty upfront about the fact that it is going to be collecting data while Facebook Connect is not and adding it to a site is likely to be a choice made by less savvy marketing types rather than the technically inclined who would automatically assume anything that can track will be tracking.

It is also worthwhile from the fact that it covers how it tracks non-facebook users and how if t